Accepting request 637189 from security:netfilter

Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/637189
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/iptables?expand=0&rev=63

_service

@@ -0,0 +1,13 @@
+<services>
+	<service name="tar_scm" mode="disabled">
+ 		<param name="scm">git</param>
+		<param name="url">git://netfilter.org/iptables</param>
+		<param name="revision">0800d9b46b377bc24f15af2c6ae22550b954b6e2</param>
+		<param name="versionformat">1.8.0.g@TAG_OFFSET@</param>
+	</service>
+	<service name="recompress" mode="disabled">
+		<param name="file">*.tar</param>
+		<param name="compression">xz</param>
+	</service>
+	<service name="set_version" mode="disabled"/>
+</services>

iptables-1.6.2.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:55d02dfa46263343a401f297d44190f2a3e5113c8933946f094ed40237053733
-size 639785

iptables-1.8.0.g85.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0479c1b53a84f66eda0d9484d1a15c9a644049635bfe866af829df0976a1c737
+size 364504

iptables-batch.patch

@@ -3,31 +3,27 @@
  iptables/iptables-batch.c |  468 ++++++++++++++++++++++++++++++++++++++++++++++
  2 files changed, 477 insertions(+)
 
-Index: iptables/iptables/Makefile.am
+Index: iptables-1.8.0/iptables/Makefile.am
 ===================================================================
---- iptables.orig/iptables/Makefile.am
-+++ iptables/iptables/Makefile.am
-@@ -48,7 +48,16 @@ xtables_compat_multi_SOURCES += xshared.
- xtables_compat_multi_LDADD   += ../libxtables/libxtables.la -lm
- endif
- 
-+iptables_batch_SOURCES    = iptables-batch.c iptables.c xshared.c
-+iptables_batch_LDFLAGS    = ${xtables_multi_LDFLAGS}
-+iptables_batch_LDADD      = ${xtables_multi_LDADD}
-+ip6tables_batch_SOURCES   = iptables-batch.c ip6tables.c xshared.c
-+ip6tables_batch_CFLAGS    = ${AM_CFLAGS} -DIP6T
-+ip6tables_batch_LDFLAGS   = ${xtables_multi_LDFLAGS}
-+ip6tables_batch_LDADD     = ${xtables_multi_LDADD}
+--- iptables-1.8.0.orig/iptables/Makefile.am
++++ iptables-1.8.0/iptables/Makefile.am
+@@ -98,3 +98,12 @@ install-exec-hook:
+ 	for i in ${v4_sbin_links}; do ${LN_S} -f xtables-legacy-multi "${DESTDIR}${sbindir}/$$i"; done;
+ 	for i in ${v6_sbin_links}; do ${LN_S} -f xtables-legacy-multi "${DESTDIR}${sbindir}/$$i"; done;
+ 	for i in ${x_sbin_links}; do ${LN_S} -f xtables-nft-multi "${DESTDIR}${sbindir}/$$i"; done;
 +
- sbin_PROGRAMS    = xtables-multi
-+sbin_PROGRAMS   += iptables-batch ip6tables-batch
- if ENABLE_NFTABLES
- sbin_PROGRAMS	+= xtables-compat-multi
- endif
-Index: iptables/iptables/iptables-batch.c
++iptables_legacy_batch_SOURCES  = iptables-batch.c iptables.c xshared.c
++iptables_legacy_batch_LDFLAGS  = ${xtables_legacy_multi_LDFLAGS}
++iptables_legacy_batch_LDADD    = ${xtables_legacy_multi_LDADD}
++ip6tables_legacy_batch_SOURCES = iptables-batch.c ip6tables.c xshared.c
++ip6tables_legacy_batch_CFLAGS  = ${AM_CFLAGS} -DIP6T
++ip6tables_legacy_batch_LDFLAGS = ${xtables_legacy_multi_LDFLAGS}
++ip6tables_legacy_batch_LDADD   = ${xtables_legacy_multi_LDADD}
++sbin_PROGRAMS += iptables-legacy-batch ip6tables-legacy-batch
+Index: iptables-1.8.0/iptables/iptables-batch.c
 ===================================================================
 --- /dev/null
-+++ iptables/iptables/iptables-batch.c
++++ iptables-1.8.0/iptables/iptables-batch.c
 @@ -0,0 +1,468 @@
 +/*
 + * Author: Ludwig Nussel <ludwig.nussel@suse.de>

iptables.changes

@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Tue Sep  4 08:08:22 UTC 2018 - Markos Chandras <mchandras@suse.de>
+
+- Add missing update-alternatives dependency to Requires(post)
+  section. If this is missing the package fails to install properly
+  when it is used as build dependency.
+
+-------------------------------------------------------------------
+Mon Jul  9 09:38:13 UTC 2018 - jengelh@inai.de
+
+- Update to new upstream release 1.8.0 and snapshot 1.8.0.g75
+  * The ipv6 "srh" match can now match previous/next/last sid
+  * CONNMARK target now supports bit-shifting for restore,set
+    and save-mark.
+  * DNAT now supports shifted portmap ranges.
+  * iptables now comes in two backends: legacy and nft.
+
 -------------------------------------------------------------------
 Thu May 24 16:38:53 CEST 2018 - kukuk@suse.de
 

iptables.spec

@@ -17,29 +17,25 @@
 
 
 Name:           iptables
-Version:        1.6.2
+Version:        1.8.0.g85
 Release:        0
 Summary:        IP packet filter administration utilities
 License:        GPL-2.0-only AND Artistic-2.0
 Group:          Productivity/Networking/Security
 Url:            http://netfilter.org/projects/iptables/
 #Git-Clone:     git://git.netfilter.org/iptables
-Source:         http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2
-Source2:        http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2.sig
+#Source:         http://netfilter.org/projects/iptables/files/%%name-%%version.tar.bz2
+#Source2:        http://netfilter.org/projects/iptables/files/%%name-%%version.tar.bz2.sig
+Source:         %name-%version.tar.xz
 Source3:        %name.keyring
 Patch3:         iptables-batch.patch
 Patch4:         iptables-apply-mktemp-fix.patch
 Patch5:         iptables-batch-lock.patch
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-%if 0%{?fedora_version} || 0%{?centos_version}
-BuildRequires:  sgml-common
-%endif
-%if 0%{?suse_version}
-BuildRequires:  fdupes
-%endif
 #git#BuildRequires:  autoconf, automake >= 1.10
 BuildRequires:  bison
+BuildRequires:  fdupes
 BuildRequires:  flex >= 2.5.33
 BuildRequires:  libtool
 BuildRequires:  pkg-config >= 0.21
@@ -48,24 +44,27 @@ BuildRequires:  pkgconfig(libmnl) >= 1.0
 BuildRequires:  pkgconfig(libnetfilter_conntrack) >= 1.0.4
 BuildRequires:  pkgconfig(libnfnetlink) >= 1.0.0
 BuildRequires:  pkgconfig(libnftnl) >= 1.0.5
+Requires:       netcfg >= 11.6
 Requires:       xtables-plugins = %version-%release
+Requires(post): update-alternatives
+Requires(postun): update-alternatives
 
 %description
 iptables is used to set up, maintain, and inspect the rule tables of
-the classic "ip6_tables" and "ip_tables" packet filters in the Linux
-kernel.
+the various Netfilter packet filter engines inside the Linux kernel.
 
-%package nft
-Summary:        nft packet filter administration utilties in the style of Xtables
+%package backend-nft
+Summary:        Metapackage to make nft the default backend for iptables/arptables/ebtables
 Group:          Productivity/Networking/Security
-Requires:       netcfg >= 11.6
-Requires:       xtables-plugins = %version-%release
+Requires:       iptables >= 1.8.0
+Requires(post): update-alternatives
+Requires(postun): update-alternatives
 
-%description nft
-The programs shipped in this subpackage behave like iptables on the
-command line, but instead edits the rules of the nft packet filter in
-the Linux kernel. Linux kernel 4.2 or newer is recommended to exploit
-the features.
+%description backend-nft
+Installation of this package adds higher priority alternatives (cf.
+update-alternatives) that makes the iptables, ip6tables, arptables
+and ebtables commands point to a program variant that uses the
+nftables kernel interface.
 
 %package -n xtables-plugins
 Summary:        Match and target extension plugins for iptables
@@ -103,12 +102,12 @@ be modified in userspace prior to reinjection back into the kernel.
 ip_queue/libipq is obsoleted by nf_queue/libnetfilter_queue!
 
 %package -n libiptc0
-Summary:        Library for low-level ruleset generation and parsing
+Summary:        Library for the ip_tables low-level ruleset generation and parsing
 Group:          System/Libraries
 
 %description -n libiptc0
 libiptc ("iptables cache") is used to retrieve from the kernel, parse,
-construct, and load new rulesets into the kernel.
+construct, and load rulesets into the kernel.
 
 %package -n libiptc-devel
 Summary:        Development files for libiptc, a packet filter ruleset library
@@ -117,10 +116,10 @@ Requires:       libiptc0 = %version
 
 %description -n libiptc-devel
 libiptc ("iptables cache") is used to retrieve from the kernel, parse,
-construct, and load new rulesets into the kernel.
+construct, and load rulesets into the kernel.
 
 %package -n libxtables12
-Summary:        iptables extension interface
+Summary:        The iptables plugin interface
 Group:          System/Libraries
 
 %description -n libxtables12
@@ -147,26 +146,68 @@ xtables --variable=xtlibdir).
 
 %build
 # We have the iptables-batch patch, so always regenerate.
-if true || [ ! -e configure ]; then
-	./autogen.sh
-fi
+./autogen.sh
 # bnc#561793 - do not include unclean module in iptables manpage
 rm -f extensions/libipt_unclean.man
 # includedir is overriden on purpose to detect projects that
 # fail to include libxtables_CFLAGS
 %configure --includedir="%_includedir/%name" --enable-libipq
-make %{?_smp_mflags}
+%make_build V=1
 
 %install
-make DESTDIR=%buildroot install
+%make_install
+b="%buildroot"
 # iptables-apply is not installed by upstream Makefile
-install -m0755 iptables/iptables-apply %buildroot%_sbindir/
-install -m0644 iptables/iptables-apply.8 %buildroot%_mandir/man8/
-rm -f "%buildroot/%_libdir"/*.la
+install -m0755 iptables/iptables-apply "$b/%_sbindir/"
+install -m0644 iptables/iptables-apply.8 "$b/%_mandir/man8/"
+rm -f "$b/%_libdir"/*.la
+rm -f "$b/%_sysconfdir/ethertypes" # -> netcfg
+
+for i in iptables iptables-restore iptables-save ip6tables ip6tables-restore \
+    ip6tables-save arptables arptables-restore arptables-save ebtables \
+    ebtables-restore ebtables-save; do
+	ln -fsv "/etc/alternatives/$i" "$b/%_sbindir/$i"
+done
 %if 0%{?suse_version}
 %fdupes %buildroot/%_prefix
 %endif
 
+%post
+update-alternatives \
+	--install "%_sbindir/iptables" iptables "%_sbindir/xtables-legacy-multi" 1 \
+	--slave "%_sbindir/iptables-restore" iptables-restore "%_sbindir/xtables-legacy-multi" \
+	--slave "%_sbindir/iptables-save" iptables-save "%_sbindir/xtables-legacy-multi" \
+	--slave "%_sbindir/ip6tables" ip6tables "%_sbindir/xtables-legacy-multi" \
+	--slave "%_sbindir/ip6tables-restore" ip6tables-restore "%_sbindir/xtables-legacy-multi" \
+	--slave "%_sbindir/ip6tables-save" ip6tables-save "%_sbindir/xtables-legacy-multi"
+
+%postun
+if test "$1" = 0; then
+	update-alternatives --remove iptables "%_sbindir/xtables-legacy-multi"
+fi
+
+%post backend-nft
+update-alternatives \
+	--install "%_sbindir/iptables" iptables "%_sbindir/xtables-nft-multi" 2 \
+	--slave "%_sbindir/iptables-restore" iptables-restore "%_sbindir/xtables-nft-multi" \
+	--slave "%_sbindir/iptables-save" iptables-save "%_sbindir/xtables-nft-multi" \
+	--slave "%_sbindir/ip6tables" ip6tables "%_sbindir/xtables-nft-multi" \
+	--slave "%_sbindir/ip6tables-restore" ip6tables-restore "%_sbindir/xtables-nft-multi" \
+	--slave "%_sbindir/ip6tables-save" ip6tables-save "%_sbindir/xtables-nft-multi"
+update-alternatives --install "%_sbindir/arptables" arptables "%_sbindir/xtables-nft-multi" 2 \
+	--slave "%_sbindir/arptables-restore" arptables-restore "%_sbindir/xtables-nft-multi" \
+	--slave "%_sbindir/arptables-save" arptables-save "%_sbindir/xtables-nft-multi"
+update-alternatives --install "%_sbindir/ebtables" ebtables "%_sbindir/xtables-nft-multi" 2 \
+	--slave "%_sbindir/ebtables-restore" ebtables-restore "%_sbindir/xtables-nft-multi" \
+	--slave "%_sbindir/ebtables-save" ebtables-save "%_sbindir/xtables-nft-multi"
+
+%postun backend-nft
+if test "$1" = 0; then
+	update-alternatives --remove iptables "%_sbindir/xtables-nft-multi"
+	update-alternatives --remove arptables "%_sbindir/xtables-nft-multi"
+	update-alternatives --remove ebtables "%_sbindir/xtables-nft-multi"
+fi
+
 %post   -n libipq0 -p /sbin/ldconfig
 %postun -n libipq0 -p /sbin/ldconfig
 %post   -n libiptc0 -p /sbin/ldconfig
@@ -175,42 +216,70 @@ rm -f "%buildroot/%_libdir"/*.la
 %postun -n libxtables12 -p /sbin/ldconfig
 
 %files
-%defattr(-,root,root)
 %license COPYING
-%doc %_mandir/man1/ip*
-%doc %_mandir/man8/ip*
 %_bindir/iptables-xml
-%_sbindir/iptables
 %_sbindir/iptables-apply
-%_sbindir/iptables-batch
+%_sbindir/iptables-legacy*
+%_sbindir/iptables-nft*
+%_sbindir/iptables-*translate*
+%_sbindir/ip6tables-legacy*
+%_sbindir/ip6tables-nft*
+%_sbindir/ip6tables-*translate*
+%_sbindir/arptables-nft*
+%_sbindir/ebtables-nft*
+%_sbindir/xtables*
+%_mandir/man1/*tables*
+%_mandir/man8/*tables*
+# backend-legacy (implicit)
+%ghost %_sysconfdir/alternatives/iptables
+%ghost %_sysconfdir/alternatives/iptables-restore
+%ghost %_sysconfdir/alternatives/iptables-save
+%ghost %_sysconfdir/alternatives/ip6tables
+%ghost %_sysconfdir/alternatives/ip6tables-restore
+%ghost %_sysconfdir/alternatives/ip6tables-save
+%_sbindir/iptables
 %_sbindir/iptables-restore
 %_sbindir/iptables-save
 %_sbindir/ip6tables
-%_sbindir/ip6tables-batch
 %_sbindir/ip6tables-restore
 %_sbindir/ip6tables-save
-%_sbindir/xtables-multi
 
-%files nft
-%defattr(-,root,root)
-# is provided by netcfg
-%exclude %_sysconfdir/ethertypes
-%_sbindir/*-compat*
-%_sbindir/*-translate*
+%files backend-nft
+%ghost %_sysconfdir/alternatives/iptables
+%ghost %_sysconfdir/alternatives/iptables-restore
+%ghost %_sysconfdir/alternatives/iptables-save
+%ghost %_sysconfdir/alternatives/ip6tables
+%ghost %_sysconfdir/alternatives/ip6tables-restore
+%ghost %_sysconfdir/alternatives/ip6tables-save
+%ghost %_sysconfdir/alternatives/arptables
+%ghost %_sysconfdir/alternatives/arptables-restore
+%ghost %_sysconfdir/alternatives/arptables-save
+%ghost %_sysconfdir/alternatives/ebtables
+%ghost %_sysconfdir/alternatives/ebtables-restore
+%ghost %_sysconfdir/alternatives/ebtables-save
+%_sbindir/iptables
+%_sbindir/iptables-restore
+%_sbindir/iptables-save
+%_sbindir/ip6tables
+%_sbindir/ip6tables-restore
+%_sbindir/ip6tables-save
+%_sbindir/arptables
+%_sbindir/arptables-restore
+%_sbindir/arptables-save
+%_sbindir/ebtables
+%_sbindir/ebtables-restore
+%_sbindir/ebtables-save
 
 %files -n xtables-plugins
-%defattr(-,root,root)
 %_libdir/xtables/
 %_sbindir/nfnl_osf
 %_mandir/man8/nfnl_osf.8*
 %_datadir/xtables/
 
 %files -n libipq0
-%defattr(-,root,root)
 %_libdir/libipq.so.0*
 
 %files -n libipq-devel
-%defattr(-,root,root)
 %doc %_mandir/man3/libipq*
 %doc %_mandir/man3/ipq*
 %dir %_includedir/%name/
@@ -219,24 +288,20 @@ rm -f "%buildroot/%_libdir"/*.la
 %_libdir/pkgconfig/libipq.pc
 
 %files -n libiptc0
-%defattr(-,root,root)
 %_libdir/libiptc.so.0*
 %_libdir/libip4tc.so.0*
 %_libdir/libip6tc.so.0*
 
 %files -n libiptc-devel
-%defattr(-,root,root)
 %dir %_includedir/%name/
 %_includedir/%name/libiptc*
 %_libdir/libip*tc.so
 %_libdir/pkgconfig/libip*tc.pc
 
 %files -n libxtables12
-%defattr(-,root,root)
 %_libdir/libxtables.so.12*
 
 %files -n libxtables-devel
-%defattr(-,root,root)
 %dir %_includedir/%name/
 %_includedir/%name/xtables.h
 %_includedir/%name/xtables-version.h